SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

TOP OF THE NEWS

The US Department of Homeland Security (DHS) is expanding a program that offers bonus pay to attract talented cybersecurity employees to government positions, which traditionally pay less than private industry. The bonus program was piloted at the DHS's National Protection and Programs Directorate (NPPD) and will now be available to "the rest of its headquartered elements."
-http://federalnewsradio.com/cybersecurity/2016/05/dhs-sweetens-cyber-workforce-recruiting-new-bonuses/
[Editor's Note (Henry): The salary incentives offered here by DHS are valuable, in principle, but they need to be administered in a way that is both effective and consistent. I've seen similar government programs where people are put into a certain category because they've got the proper "credentials" check mark, but not necessarily the required experience or skillset. This has the potential to create a division in the ranks, whereby those who are already doing the job successfully but don't have the requisite accreditation are underpaid, while those brought in because they fit the bill on paper, but don't always have the full capabilities of others, are more highly compensated. Certifications are a good start, but incenting employees based on actual skills, real-world experience, technical prowess and successful results is critically important.
(Paller): Echoing Shawn Henry's remarks (recalling that he ran the cyber division at the FBI, where excellence in technical skills mattered), DHS's bonus program will be a grave error if the certifications it uses measure the ability to talk about security rather than the hands-on skills needed to fix the problems or show organizations how to fix them. DHS has a history of misusing cybersecurity hiring authorities to hire general purpose IT people. If DHS misuses this new authority to reward people who can admire the problems but don't have the skills to correct the problems, Secretary Johnson should be called before Chairman Issa's Committee for an even tougher grilling than the one given to the OPM chief after the breach that hit her agency.
(Pescatore): When I graduated college with an Electrical Engineering degree, NSA had salary incentives for EEs. The 25% increase made the grade 7 salary competitive with private industry back then. But, as this article notes, DHS really needs to look at why their turnover seems to be so high. Keeping good security people is probably more critical than hiring new college grads and giving them on-the-job training just to see them go to other agencies or private industry.]

Locky Command-and-Control Server Breached (May 5, 2016)

Someone gained access to a command and control (C&C) server for Locky ransomware and exchanged the malicious payload for a benign file that displays the message, "Stupid Locky." Earlier this year, a Dridex C&C server was similarly compromised.
-http://www.darkreading.com/endpoint/stupid-locky-network-breached/d/d-id/1325421
-http://www.theregister.co.uk/2016/05/05/locky_ramsomware_network_hacked/
[Editor's Note (Honan): While some may welcome this type of "vigilante" approach, we need to be wary that C&C servers can hold very valuable intel and information for Law Enforcement Agencies. Compromising such systems could in turn compromise potential evidence that an LEA may require to charge a suspect, or such a compromise could disrupt an LEA-led operation against those behind the C&C.]

Michigan Company Loses US $495,000 to Transfer Fraud (May 3 and 5, 2016)

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/